We use Syslog to report system events. If you want to prevent unauthorized access to your system, monitoring logins is mandatory, and Syslog provides an option to monitor failed logins. As a system administrator you may use '#logins -x -l username' to check the login status of a particular user. But if you want to check failed logins to detect potential unauthorized access, you need to take a few easy steps. Before proceeding to those steps, some idea about the system file '/etc/syslog.conf' is necessary.
Open the file and you will find some lines like:
*.err;kern.notice;auth.notice /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.alert;kern.err;daemon.err operator
*.alert root
*.emerg *
Here the first field is the Selector field and the second field is the Action field. Each line is written as Selector <Tab> Action. The Selector field again has two parts, facility and level, written as facility1.level1;facility2.level2;facility3.level3 and so on. The Action field determines where the message will be forwarded. Here *.err means errors from any facility; kern stands for kernel, crit for critical, etc. A detailed description of facilities and levels is available here.
Now let's come back to the steps to detect failed logins.
i) edit /etc/default/login
Here you can change the default values of TIMEOUT, SLEEPTIME, DISABLETIME, RETRIES etc. Make sure SYSLOG=YES is set there. If you want to log a message after a single unsuccessful login attempt, set SYSLOG_FAILED_LOGINS=0.
ii) create a log file: #touch /var/adm/faillog, give it appropriate permissions: chmod 600 /var/adm/faillog, and select a suitable group: chgrp sys /var/adm/faillog.
iii) edit /etc/syslog.conf
add a line: auth.notice<Tab>/var/adm/faillog (the separator between selector and action must be a literal Tab, not spaces).
iv) then execute 'svcadm refresh system/system-log'.
Also check out man logger to learn how to add entries to the system log, man syslogd for logging system messages, and man logadm for managing endlessly growing log files.


Don't forget to add /var/adm/faillog to your logadm configuration or else it will grow forever.
Posted by William Hathaway on October 30, 2008 at 04:58 PM IST